00 OPERATIONS · TRUST CENTER

Trust center.
Where your data lives. How it's protected. Who processes it.

Aviation safety data is regulated by national civil aviation authorities (FAA, EASA, Transport Canada, ICAO Annex 19). Every page in this tenant ships with the audit trail, retention controls, and confidentiality posture a safety regulator would expect.

01 WHERE YOUR DATA LIVES

Data residency

Primary region
  Canada (ca-central-1) · All operator records — database + file storage — single-region.
Application compute
  Global edge · No persistent storage at the edge. Compute is ephemeral and stateless.
CDN + DNS
  Global anycast · TLS 1.3 termination + DDoS protection at the edge.
Backups
  Point-in-time recovery · 7 days · RPO ≤ 1 minute. RTO ≤ 1 hour.
02 ENCRYPTION

At rest + in transit

At rest
  • Database — AES-256 disk encryption + row-level isolation per operator
  • File storage — AES-256 object encryption
  • Secrets (webhook secrets, API keys) — hashed at rest · plaintext returned once at create
  • Reporter identity (anonymous + confidential modes) — dropped at write time, NOT encrypted-then-released; identity is unrecoverable by design
In transit
  • TLS 1.3 enforced edge-to-origin
  • HSTS preload · 1-year max-age · includeSubDomains
  • Outbound webhooks signed with HMAC-SHA256 — receiver verifies via shared secret
  • Background-worker events signed by the runtime — replay-resistant
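The webhook signing and verification described above, as an added example (not eAviora's code): the sender binds a Unix timestamp into an HMAC-SHA256 over the body, and the receiver rejects stale timestamps before comparing MACs in constant time, which is what makes the delivery replay-resistant. The header names, the 5-minute tolerance and the secret value are assumptions.

```python
"""Sign and verify a webhook delivery with HMAC-SHA256 plus a freshness window."""
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed example secret. A real one is generated per webhook endpoint and
# shown to the receiver exactly once at creation (it is hashed at rest on the sender).
SHARED_SECRET = b"example-webhook-secret-do-not-reuse"
TOLERANCE_SECONDS = 300  # assumption: deliveries older than 5 minutes are rejected


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Hex HMAC-SHA256 over '<timestamp>.<body>'.

    Binding the timestamp into the MAC means a captured delivery cannot be
    replayed later under a fresh timestamp: changing the header breaks the MAC.
    """
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def build_delivery(secret: bytes, event: dict, now: Optional[int] = None):
    """Sender side: canonical JSON body plus signature headers (header names assumed)."""
    now = int(time.time()) if now is None else now
    body = json.dumps(event, separators=(",", ":"), sort_keys=True).encode()
    headers = {
        "X-Webhook-Timestamp": str(now),
        "X-Webhook-Signature": "sha256=" + sign(secret, now, body),
    }
    return headers, body


def verify_delivery(secret: bytes, headers: dict, body: bytes, now: Optional[int] = None) -> bool:
    """Receiver side: check freshness first, then compare MACs in constant time."""
    now = int(time.time()) if now is None else now
    try:
        ts = int(headers["X-Webhook-Timestamp"])
        provided = headers["X-Webhook-Signature"]
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False  # stale or future-dated: treat as a replay attempt
    expected = "sha256=" + sign(secret, ts, body)
    # compare_digest does not short-circuit on the first differing byte
    return hmac.compare_digest(expected, provided)


if __name__ == "__main__":
    hdrs, raw = build_delivery(SHARED_SECRET, {"event": "occurrence.created", "id": "occ_123"})
    print(hdrs, verify_delivery(SHARED_SECRET, hdrs, raw))
```

A receiver that verifies the MAC but ignores the timestamp is still open to replay of an old, validly signed delivery; a receiver that uses `==` instead of `compare_digest` leaks mismatch position through timing.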
03 TENANT ISOLATION

5-layer defense in depth

Single-database multi-tenant. Defense lives in 5 layers — if any one fails, the next still holds.

L1 · Application

Every server-side endpoint filters records by the calling operator's org ID. Enforced by middleware on every request — no endpoint touches tenant data without a tenant in context.

L2 · Per-query org filter

Every database query that touches an org-scoped table includes the operator's org ID as part of the WHERE clause. A CI gate blocks any new server endpoint that lacks the filter.

L3 · Background-worker tenant context

Background workers wrap every cross-tenant operation in a per-org context. Even cross-tenant aggregations cannot read across operators — the context resets between operators.

L4 · Public API surface denied by default

External-facing database roles cannot read any tenant data. The path is closed at the database role level, not just the application — even if a public client key were leaked, it would not read across operators.

L5 · Database row-level security

Row-level security is enabled and forced on every tenant-scoped table. The database itself refuses cross-tenant reads — defense in depth for the day any earlier layer might fail.
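Layers 1 to 3 modelled in one file, as an added example that is not eAviora's code: a context variable carries the calling operator's org ID (L1), a query helper refuses any statement touching an org-scoped table unless it filters on `org_id` and always injects the org from context rather than from the caller (L2, with the CI gate shown as `lint_queries`), and a context manager resets the tenant between operators (L3). It runs on sqlite so it is self-contained; the table names, the `:org_id` placeholder convention and the sample rows are constructed. Layer 5 cannot be shown on sqlite; the PostgreSQL policy in the trailing comment is an assumption about what "enabled and forced" row-level security looks like there.

```python
"""Tenant-isolation layers L1-L3 on an in-memory sqlite database."""
import contextvars
import re
import sqlite3
from contextlib import contextmanager

# L1: the operator in context, set once per request or per worker step.
_current_org = contextvars.ContextVar("current_org", default=None)

ORG_SCOPED_TABLES = {"occurrences", "hazards"}  # constructed for the example
_ORG_FILTER = re.compile(r"\borg_id\s*=\s*:org_id\b")


class MissingTenantContext(Exception):
    """Raised when tenant data is requested with no operator in context."""


class UnscopedQuery(Exception):
    """Raised when an org-scoped table is read without an org_id filter."""


@contextmanager
def tenant_context(org_id):
    """Establish the operator for the enclosed work; reset afterwards (L3)."""
    token = _current_org.set(org_id)
    try:
        yield
    finally:
        _current_org.reset(token)


def touches_org_scoped_table(sql):
    return any(re.search(rf"\b{t}\b", sql) for t in ORG_SCOPED_TABLES)


def has_org_filter(sql):
    return _ORG_FILTER.search(sql) is not None


def lint_queries(sqls):
    """CI-gate analogue: return every query that reads tenant data without a filter."""
    return [s for s in sqls if touches_org_scoped_table(s) and not has_org_filter(s)]


def scoped_query(conn, sql, params=None):
    """L2: run SQL only with a tenant in context and an org_id filter present.

    The org value comes from context, overriding anything the caller passed,
    so a request cannot smuggle in another operator's ID.
    """
    org_id = _current_org.get()
    if org_id is None:
        raise MissingTenantContext("no operator in context")
    if touches_org_scoped_table(sql) and not has_org_filter(sql):
        raise UnscopedQuery(sql)
    return conn.execute(sql, {**(params or {}), "org_id": org_id}).fetchall()


def build_demo_db():
    """Constructed sample data: two operators sharing one table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE occurrences (id INTEGER PRIMARY KEY, org_id TEXT NOT NULL, title TEXT)")
    conn.executemany("INSERT INTO occurrences (org_id, title) VALUES (?, ?)", [
        ("org_alpha", "Bird strike on departure"),
        ("org_alpha", "Runway incursion"),
        ("org_bravo", "Ground handling damage"),
    ])
    return conn


def titles_for_current_org(conn):
    rows = scoped_query(conn, "SELECT title FROM occurrences WHERE org_id = :org_id ORDER BY id")
    return [r[0] for r in rows]


# L5 on PostgreSQL (assumption; not executed here) would be roughly:
#   ALTER TABLE occurrences ENABLE ROW LEVEL SECURITY;
#   ALTER TABLE occurrences FORCE ROW LEVEL SECURITY;
#   CREATE POLICY org_isolation ON occurrences
#     USING (org_id = current_setting('app.current_org'));

if __name__ == "__main__":
    db = build_demo_db()
    with tenant_context("org_alpha"):
        print(titles_for_current_org(db))
```

The point of `FORCE` in the PostgreSQL comment is that the policy also applies to the table owner; without it an application role that owns the table bypasses the policy entirely.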

04 AUTHENTICATION

Methods supported

Pick the one your IdP uses; mix and match per tenant.

METHOD · WHEN USED · NOTES

Email + password
  When used: Default for individual users
  Notes: bcrypt hash · HIBP password breach check on every set
Magic-link email
  When used: Passwordless reduces phishing surface
  Notes: Single-use token, 60-min expiry
OAuth (Google)
  When used: For tenants on Google Workspace
  Notes: Email-domain pinned to tenant on first link
SAML 2.0
  When used: Enterprise IdP (Okta, Azure AD, etc.)
  Notes: Per-tenant SP-initiated · just-in-time provisioning
SCIM 2.0
  When used: IdP-driven user lifecycle
  Notes: Bearer-token authed · automatic deprovisioning
WebAuthn passkeys
  When used: Phishing-resistant 2nd factor
  Notes: FIDO2 · device-bound · no shared secret
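Two rows of the table above and the "hashed at rest · plaintext returned once at create" rule from section 02 share one pattern: an opaque high-entropy token is handed out once and only its hash is stored. The added example below (not eAviora's code) applies it to API keys (look up by hash, plaintext never retained) and to magic-link tokens (single use, 60-minute expiry). Random tokens get a plain SHA-256 rather than bcrypt because they are not user-chosen; bcrypt's cost factor exists for low-entropy passwords. The `eav_` prefix, the in-memory store and the sample e-mail address are assumptions.

```python
"""Opaque tokens stored only as hashes: API keys and single-use magic links."""
import hashlib
import secrets
import time
from typing import Optional

MAGIC_LINK_TTL = 60 * 60  # 60 minutes, per the authentication table


def _digest(token: str) -> str:
    # SHA-256 is adequate here: the input is 256 bits of CSPRNG output,
    # so there is nothing for a slow hash to protect against.
    return hashlib.sha256(token.encode()).hexdigest()


class TokenStore:
    """In-memory stand-in for the database tables (assumption)."""

    def __init__(self):
        self._api_keys = {}      # digest -> {"org": ..., "label": ...}
        self._magic_links = {}   # digest -> {"email": ..., "expires": ..., "used": ...}

    def create_api_key(self, org_id: str, label: str) -> str:
        plaintext = "eav_" + secrets.token_urlsafe(32)  # prefix is an assumption
        self._api_keys[_digest(plaintext)] = {"org": org_id, "label": label}
        return plaintext  # shown exactly once; only the digest is kept

    def authenticate_api_key(self, presented: str) -> Optional[dict]:
        return self._api_keys.get(_digest(presented))

    def issue_magic_link(self, email: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._magic_links[_digest(token)] = {
            "email": email, "expires": now + MAGIC_LINK_TTL, "used": False,
        }
        return token  # embedded in the e-mailed link; not retained in plaintext

    def redeem_magic_link(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the e-mail on success; None if unknown, already used, or expired."""
        now = time.time() if now is None else now
        rec = self._magic_links.get(_digest(token))
        if rec is None or rec["used"] or now > rec["expires"]:
            return None
        rec["used"] = True  # single use: a replayed link fails from here on
        return rec["email"]


if __name__ == "__main__":
    store = TokenStore()
    key = store.create_api_key("org_alpha", "ci-bot")
    print(key, store.authenticate_api_key(key))
```

Because the store holds only digests, a database read (or backup leak) yields nothing a client can present; the one-time plaintext return is what forces operators to capture the key at creation.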
05 SUB-PROCESSORS

Categories that touch your data

Service categories in the processing chain. Vendor names and DPAs are listed in Privacy section 09 and Terms section 09.

CATEGORY · REGION · ROLE

Database
  Region: ca-central-1 (Canada)
  Role: Tenant data, audit log, AI execution log. Encrypted at rest, isolated per operator.
Hosting & edge
  Role: Application + static assets served from a global edge with automatic SSL.
AI provider
  Role: Calibrated AI agents for classification, risk, bowtie and precursor detection.
Background processing
  Role: Durable workers for notifications, retention, scheduled reports and webhook delivery.
Email delivery
  Role: Transactional email for notifications, magic-links and digests.
Identity & storage
  Role: Sessions, file uploads, OAuth, SAML callback for enterprise identity providers.
Security monitoring
  Role: Error tracking and observability across the application.
Payments
  Role: Subscription billing for paid plans (handled by an external processor — eAviora never stores card data).
DNS & DDoS protection
  Role: Authoritative DNS, DDoS mitigation and TLS at the edge.
Full vendor names + DPA URLs: /privacy 09 · /terms 09.
06 AUDIT POSTURE

Every mutation is logged

Coverage

Every server-side change to your data writes an audit-log row. Coverage is enforced by a CI gate — no mutation ships without one.

Surface

Self-serve viewer at /settings/audit-log — filter by actor, action, entity, time window. Export to JSON / CSV.

Retention

Defaults to 365 days. Per-tenant retention controls live at /settings/data — within regulatory minimums set by your civil aviation authority.
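The three audit properties above (every mutation writes a row, filtering by actor/action/entity/time with JSON and CSV export, and a retention window defaulting to 365 days) as an added example that is not eAviora's code. The `audited` decorator makes a mutation unable to run without logging, and `unaudited_mutations` is a small stand-in for the CI gate: it lists functions that look like mutations but lack the decorator. The class, the decorator, the `create_/update_/delete_` naming convention and the hazard sample are assumptions.

```python
"""Audit-log coverage, filtering, retention and export on an in-memory log."""
import csv
import functools
import io
import json
import time

DEFAULT_RETENTION_DAYS = 365  # page default; per-tenant override assumed possible
FIELDS = ["at", "org_id", "actor", "action", "entity", "entity_id"]


class AuditLog:
    def __init__(self, retention_days=DEFAULT_RETENTION_DAYS):
        self.rows = []
        self.retention_days = retention_days

    def record(self, actor, action, entity, entity_id, org_id, at=None):
        self.rows.append({
            "at": time.time() if at is None else at, "org_id": org_id,
            "actor": actor, "action": action, "entity": entity, "entity_id": entity_id,
        })

    def query(self, org_id, actor=None, action=None, entity=None, since=None, until=None):
        """Filter by actor, action, entity and time window, always within one org."""
        def keep(r):
            return (r["org_id"] == org_id
                    and (actor is None or r["actor"] == actor)
                    and (action is None or r["action"] == action)
                    and (entity is None or r["entity"] == entity)
                    and (since is None or r["at"] >= since)
                    and (until is None or r["at"] <= until))
        return [r for r in self.rows if keep(r)]

    def purge_expired(self, now=None):
        """Drop rows older than the retention window; return how many were removed."""
        now = time.time() if now is None else now
        cutoff = now - self.retention_days * 86400
        before = len(self.rows)
        self.rows = [r for r in self.rows if r["at"] >= cutoff]
        return before - len(self.rows)

    def export_json(self, org_id):
        return json.dumps(self.query(org_id), sort_keys=True)

    def export_csv(self, org_id):
        buf = io.StringIO()
        w = csv.DictWriter(buf, fieldnames=FIELDS)
        w.writeheader()
        w.writerows(self.query(org_id))
        return buf.getvalue()


def audited(log, action, entity):
    """Wrap a mutation so it cannot complete without writing an audit row."""
    def deco(fn):
        @functools.wraps(fn)
        def wrapper(actor, org_id, entity_id, *args, **kwargs):
            result = fn(actor, org_id, entity_id, *args, **kwargs)
            log.record(actor, action, entity, entity_id, org_id)
            return result
        wrapper.is_audited = True
        return wrapper
    return deco


def unaudited_mutations(namespace):
    """CI-gate analogue: mutation-named callables that lack the decorator."""
    return sorted(name for name, obj in namespace.items()
                  if callable(obj) and name.startswith(("create_", "update_", "delete_"))
                  and not getattr(obj, "is_audited", False))


LOG = AuditLog()
HAZARDS = {}  # constructed in-memory table standing in for the database


@audited(LOG, "hazard.create", "hazard")
def create_hazard(actor, org_id, hazard_id, title):
    HAZARDS[(org_id, hazard_id)] = title
    return hazard_id


def delete_hazard(actor, org_id, hazard_id):  # deliberately lacks @audited: the gate should flag it
    HAZARDS.pop((org_id, hazard_id), None)


if __name__ == "__main__":
    create_hazard("alice", "org_alpha", "hz_1", "Wildlife near runway")
    print(LOG.export_csv("org_alpha"))
    print(unaudited_mutations({"create_hazard": create_hazard, "delete_hazard": delete_hazard}))
```

In a real code base the gate would walk the route table or a static analysis of handlers rather than a dictionary, but the property it enforces is the same: a mutation with no audit row is a build failure, not a runtime surprise.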

07 COMPLIANCE

Where we stand

Aviation safety regulators

The platform is built to support audits by national civil aviation authorities (FAA Part 5 SMS, EASA Part-ORO Appendix 4, Transport Canada CAR 705, ICAO Annex 19). The audit-log surface, retention controls, and reporter-confidentiality model are designed for a regulator showing up with a notebook.

SOC 2 Type 2
In preparation

We are running our SOC 2 Type 2 readiness audit in 2026. Procurement teams that need a pre-audit questionnaire response can email trust@eaviora.com — we will share our control matrix.

GDPR + UK GDPR

DPA available on request — email privacy@eaviora.com. Standard Contractual Clauses available for cross-border transfers (US sub-processors above).

08 DATA OWNERSHIP

Export everything, any time

Your data is yours. Trigger a full export any time.

/settings/data → EXPORT EVERYTHING queues a complete JSON bundle of every record in your tenant: occurrences, hazards, SPIs, actions, audits, investigations, documents, training records and the full audit log. The bundle is built asynchronously and delivered as a 7-day signed download link by email. Re-importable into any other vendor or held for your own archives. No support ticket required.

09 VULNERABILITY DISCLOSURE

Found something? Tell us.

Email security@eaviora.com with reproduction steps, the affected tenant (your tenant ID is sufficient), and your preferred disclosure window. We acknowledge within 24 hours, ship a fix or mitigation within 7 days for Critical / High, and credit you in the advisory unless you ask us not to. We do not litigate good-faith research.